Insight by Proofpoint

Cybersecurity is as much a people issue as a technical one

 

For organizations that are constrained in budget terms, or don't have the technical expertise to run the latest cyber security tools, you can accomplish quite a lot by making sure that your people are trained to recognize that if somebody sends you an Excel macro from outside ... don't run that macro.

 

It is generally people in the finance department, and accounts payable, accounts receivable. You're actually moving money from point A to point B. That makes you a much more interesting target.

If the pandemic was a threat to public health and a technical challenge to federal IT departments, it was also a gigantic opportunity for ransomware-motivated hackers. That phenomenon persists, presenting an ongoing need for protection.

“It’s just simply too lucrative for our adversaries. And the really mundane stuff, it really does continue to bedevil federal agencies,” said Ryan Kalember, the executive vice president for cybersecurity at Proofpoint.

The threat vectors are well known, he added. “If you’re a large organization, like a meaningfully sized federal agency, it’s most of the time going to be email.” Agencies at the federal level, though, have been targeted somewhat less than those at the state and local level, and in the larger non-profit sector. The reason may be that hackers know federal agencies are the least likely to pay the ransom seekers.

As for those smaller organizations, protection is a matter of getting the basics right in the way Remote Desktop Protocol or virtual private networks are set up. Adversaries, Kalember said, will always prefer the path of least resistance.

Therefore, protection requires a combination of training people and technical fixes that support measures such as multi-factor authentication and what Kalember called the zero trust journey.

“So ultimately, yes, there are valuable technical solutions that can make sure fewer threats get delivered,” Kalember said. “But the people really are, in most cases, going to be that last line of defense.”

The generic anti-phishing training programs that most organizations use are inadequate, he said. More effective are trainings tailored to the specific functions done by the people you’re training. That is, people in finance are likely to see a whole different flavor of attack than, say, IT people. Moreover, as attacks get more focused on IT or the executive suite, it’s wise to narrow down the field of concentration.

“You might have 100,000 people in an agency, but maybe about 5 percent of them ever get an interesting attack,” Kalember said. “Being able to shrink the problem, and then tailor the training, I think is the way to succeed in the future.”

He described one agency that is versed in providing physical security. Its managers understood that the cyber attacks it faced were selective, concentrating on the executives and those in the public eye.

“But apart from the VIPs, there is an interesting set of people that we call actually, the VAP — very attacked people. They didn’t necessarily have the same level of profile, but you could probably find them on the internet with a Google or LinkedIn search. And they probably had access to something super interesting,” Kalember said.

Solid data protection and compliance programs must accompany training and enlisting everyone in the cybersecurity battle. But the technical and compliance measures won’t be effective without a carefully tailored people component, Kalember said.


Featured speakers

  • Ryan Kalember

    Executive Vice President, Cybersecurity Strategy, Proofpoint, Inc.

  • Tom Temin

    Host, The Federal Drive, Federal News Network
